Data-at-Rest Protection Strategies

The purpose of this article is to address protection against loss of data.  I am defining loss in two ways.  The first is no longer having access to the data.  Lack of access may be because of hardware failure, for example a hard drive failure, or because the device holding the data is no longer available, for example due to theft.  The second definition of loss of data is when another party gets access to the data. I work under the assumptions in West Africa that hard drives fail often and if a computer is stolen it is unlikely that it will be retrieved.

This document is primarily addressing data-at-rest rather than data-in-motion or data-in-use.  This means the data is physically stored on your computer and the computer is off.  There are another whole set of strategies for protecting data-in-motion/use dealing with strong passwords, firewalls, secure network traffic, operating system updates, etc.

Physical Security

The best way to prevent the loss of data is to make sure the device that is storing it remains in your possession.  There are two ways to do this:

  • Cable Lock: For many years computers have come with lock ports.  A simple laptop cable lock can be purchased for less than USD $20 and is easily transportable.  While at home or travelling it is easy to attach the cable to a piece of furniture and perhaps keep the computer from being stolen in the first place.
  • Recovery Label: Once a computer is stolen it is unlikely that it will be recovered, but it may be worth planning for that possibility.  The device may be sold to a Good Samaritan who would contact you if they knew how.  Two companies offer ID labels that offer a reward and a way to contact you if your stuff is found: Stuffbak and BommerangIt.


Computer backups are one of those things that everybody knows is good, but we still don’t always do.  Worse, it is often a place we try to save money and get by with the least effective product.  It then becomes difficult to do and may take a long time, causing it to happen less often.

Over the years I have tried three categories of backup methods:

  • File Copy/Synchronization:Most external drives come with a free backup program.  What they do is very simple; they copy a list of files and folders on the computer to the external drive.  In case the computer drive is lost (failed or stolen) the important data is still available.  I have several problems with this method:
    • The destination is usually not encrypted and so is easily available to anybody who has access to the external drive.
    • These programs usually cannot handle open files.  Either you have to close everything before you do a backup, or any open files will not be backed up.
    • It is a data backup, not a computer backup.  If your hard drive dies, you have manually install Windows and all of your programs and only then can you copy your files back over.  That could take a long time.
    • It is not reliable.  I recently ran into a situation where the backup would only copy the file the first time, it would not copy it during subsequent backups when the file changed. For the computer in question that had happened over a year before on many important files.
  • Windows Backup: For many years and through several versions of Windows this has been my primary backup program.  It is free, it comes with Windows, it is a full computer backup (you can restore the entire computer from it), and it is reliable.  Since it came with Windows, if my computer died I could take my backup to another computer and at least get to important files.  Microsoft has vastly improved backup in Windows 7 and I would still recommend it over the File Copy method above.  My biggest problem with Windows Backup is that it is a full backup every time.  This can mean several hours backing up every week.  I also do not believe there is a way to password protect the backup file.
  • Full Backup Software:There are many good backup programs out there and this is not an attempt to evaluate all of them.  Many people have recommended Acronis TrueImageto me and so I tried it out, primarily because of the problems mentioned above with Windows Backup.  I have found it very easy to use.  I do a weekly differential backup (only the changes since the last full backup) with a full backup every five backups.  Here are the advantages that I see:
    • Differential backups mean that my backups do not take very long as it is only the files that have changed.  It also gives me file versions.  If I edited a file on Friday and backed it up on Saturday and Sunday realized I screwed up, I can go to a previous backup to get it back.
    • I have access to Bare Metal Restore, meaning that if my hard drive dies I can buy a new one, boot off of my Acronis restore CD and image my hard drive from my last backup.  I could be back up and running in a matter of hours with all of my files, programs, and settings.
    • Acronis backup files can be converted to Windows Backup files so they can be opened on other computers.

Acronis TrueImage Home cost me USD $39.  After what I have invested in the computer, NAS, external hard drive, and the work I have put into creating data it seems well worth that investment to make sure that not only do I have a good backup but that I can easily restore my system to full running capability.

Drive Encryption

For many years I have relied on my Windows password to protect my computer from prying eyes, but as I have worked more with retrieving data from failed drives I have realized just how simple it is to get data off of a hard drive.  The Windows password is essentially a data-in-use protection.  I can boot off a computer with another operating system from the CD drive or pull the hard drive out and connect it to another computer and easily access all of the data on it.  I have recently tried two approaches to encrypt the data on my hard drive so that it is useless to anybody else who gets their hands on my computer:

  • Software: Since my dad introduced me to computers, it has been my practice to partition my hard drive and use one for the system and programs and the other for my data.  I tried TrueCrypt which not only has had many rave reviews but is also free.  Because of my experience in trying to get an operating system running again when there is a problem and not wanting to mess with that, I decided to encrypt only my data partition. For the most part I had a very good experience.  There was no apparent system overhead from the encryption and all programs saw the drive just fine.  I was able to set TrueCrypt to auto mount the drive as soon as I logged in to Windows; it just required my encryption key.  TrueCrypt is also very flexible.  I chose to encrypt a whole partition, but it could have just been a file, even a file on a USB drive.  This would allow for a subset of data to be encrypted, like financial or donor records.  It also allows for a hidden partition that may pass cursory inspection by a security agency.  There were a few problems that I ran into:
    • Because I typed the encryption key in after I logged in to Windows, programs that automatically loaded and quickly needed access to the My Documents folder (which I moved to my data partition) would error out because it would not be available yet.  Note that this would not have been a problem if I encrypted the whole hard drive.  My encryption key would have been required at boot.
    • Backup programs that worked at the disk or partition level (ex: Windows Backup) could not access the encrypted partition.  I tried many suggestions but could never get around this.  I had to do a normal file backup which does not allow a bare metal restore.
    • Because it was a software solution, it was not always flawless.  I used it for seven months, and the last two months it often did not assign a drive letter to the partition.  I had to go into the program and manually reset it.

The benefit to a software solution like TrueCrypt is that it can work in your current situation.  I could encrypt a few files and put them on a USB drive, encrypt a partition or encrypt the whole disk.  I did not have to buy any special hardware or need any particular capabilities on my computer.

  • Hardware:A month ago I installed a Seagate Momentus FDE (Full Disk Encryption) drive.  This is one of a new series of drives that are self encrypting.  For years motherboards have allowed users to put passwords on hard drives. Although this provided protection from many data thieves, it really only wrote the password to the drive controller but did not affect the data itself.  Self encrypting drives use this standard to send the encryption key.  The hard drive “password” becomes the key by which all data stored on the physical platter is actually encrypted.  There are a few implications of this method:
    • Because the password is the encryption key, if you change the password, you essentially wipe the drive.  This is good for disposal.
    • The benefit to doing the encryption on the drive is that it is transparent to the operating system.  When I turn on my computer, the BIOS asks me for the drive encryption key and then unlocks it.  Whenever power is removed from the drive it is automatically locked.  My computer’s BIOS allows me to set other times it will be locked.  In my case, if I reboot or even put my computer to sleep the drive is locked.
    • Because the encryption is being done at the hardware level and is transparent to the OS, it has not caused any problems with backup software.  The drive is unlocked before the operating system loads so does not affect auto loading programs or services that need data off of an encrypted volume.
    • Since the whole drive is encrypted, you cannot protect only a single volume or hide an encrypted partition.
    • Your BIOS must support it.  Because it uses the ATA standard for hard drive passwords, many Intel chipsets support them.
    • Note that other manufacturers like Hitachi and IBM are also starting production.  I paid a premium of about 30% on the purchase price of the drive, but estimations are that this technology will become so ubiquitous that all drives in a few years will come with the technology.

One final note on encryption, we have a high rate of disk drive failure in West Africa.  In almost every case that I have worked with, we have been able to plug the drive into a USB enclosure and retrieve the data before the drive completely dies.  If a drive is encrypted, it removes that possibility.  That means good backups are even more vital if you use this technology.

Other Devices

For many years all of our important data has been stored on computers.  With increased use of other devices like smart phones and tablets, it is important to remember that they also need to be protected.  Much of the data that I mentioned in the first section is now stored on these devices.

  • Backup: There are two options for backup.  Several apps have been developed to backup devices to the cloud.  That is not always practical in areas with slow internet access.  My iPhone and iPad both automatically backup to iTunes when I plug them into my computer.  I try to do this at least once a month.
  • Encryption: I think that all of the modern smart phone operating systems offer an option to wipe a device if the wrong password is entered too many times.  I have that set on my iPhone and iPad for ten times.  There is a caveat that I just discovered, if you plug the device into a computer with iTunes, iTunes can still read all of the data on it without a password.  This area needs more research.

Image: renjith krishnan /


3 thoughts on “Data-at-Rest Protection Strategies

  1. I wonder whether this is definitely correct: “If a drive is encrypted, it removes that possibility [of recovering data using a USB enclosure]”. Have you verified for sure that this is not possible? If so, I wonder if it might depend on how sophisticated the enclosure is–i.e. whether the enclosure is able to receive and pass along the password request in order to unlock the drive.

    One other idea: if the enclosure truly isn’t an option, leaving the hard drive in the laptop and booting to a live CD (e.g. a Linux CD) might allow you to access the failing drive and copy its data to the new drive (which could be in a USB enclosure).

    1. When I looked into this I did not find a way to access a password protected drive via a USB enclosure. If you find a way to do this, I would really appreciate it.
      On the second idea, leaving the drive in the original computer would help in only a limited number of situations. For example, if the issue is software based (corrupted OS, virus issues, etc) that would still make the hard drive accessible. This is a case where I like the idea of hardware encryption because my boot CD does not have to have TrueCrypt on it in order to access the data.
      I have dealt with a large number of hard drive crashes where the drive has simply worn out or there is some other hardware failure. I attribute a lot of that to heat in Ghana, but there could be many other causes as well. What I have found is that accessing the drive in the computer, even through an alternative boot CD, does not help much. When I put the drive into a USB enclosure we have a very high rate of success in retrieving data, usually being able to image it to a new hard drive. My guess is that is either due to USB being able to handle more errors than IDE/SATA or that it runs at a slower data transfer rate. If a fully encrypted drive cannot be accessed via a USB enclosure this option is no longer available.
      Another issue that I have not researched but that is running through my head is the affect of corruption on an encrypted volume. If you have a word processor document for example, and the middle of the file is corrupted, you can still force the file to open and get the uncorrupted data out of it. If that file was encrypted and part is corrupted, would it make the whole file/volume inaccessible?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s